How to Secure RDP

Remote desktop access is essential for any managed services provider (MSP) who needs to oversee remote devices and servers, whether across a city or across the globe. Remote access enables an MSP to quickly and efficiently solve a range of IT issues from anywhere, without wasting time on travel for in-person troubleshooting.

One well-known protocol that makes remote desktop access possible is Microsoft’s Remote Desktop Protocol (RDP). The Remote Desktop client ships with every edition of Windows, the host side is included in Pro, Enterprise and Server editions, and the protocol has been in continuous use since Windows NT 4.0 Terminal Server Edition in 1998, making it one of the oldest desktop sharing protocols still deployed. An RDP host opens a “listening” socket, TCP port 3389 by default, that accepts inbound connection attempts; depending on configuration, the client is authenticated either before a session is created or only after one has been set up for it. While this results in quick, responsive remote access to a Windows machine, that always-on listener is also what makes RDP a favourite target for attackers. MSPs should therefore understand how RDP works and which best practices keep customer data safe.

What protocol does RDP use?

RDP is an extension of the ITU T.120 family of protocols (the T.128 application sharing protocol in particular), not a Microsoft invention from scratch. It is a multi-channel protocol: separate virtual channels carry presentation data, device communication, licensing information, and encrypted keyboard and mouse input between client and server, and further channels redirect functions such as audio, printing, drives and the clipboard.

RDP supports up to 64,000 separate channels for data transmission, giving it a large base on which it can build and expand its capabilities. Some of the most notable features included are:

  • Multipoint data delivery: Data from an application can be delivered in real time to several sessions at once without sending the same data to each session individually.
  • Encryption: The original “RDP Security Layer” encrypts traffic with the RC4 stream cipher licensed from RSA Security, using 40-, 56- or 128-bit keys (3DES in FIPS mode). RC4 is no longer considered secure and this layer does not authenticate the server, so current deployments should rely on TLS instead (see the security layers below).
  • Bandwidth reduction: Through data compression and caching of bitmaps, glyphs, and fragments in RAM, RDP improves the speed and performance of data transfers over low-bandwidth connections.
  • Disconnect capabilities: Users can disconnect from a remote desktop session without logging off. The session keeps running on the host, and when the user connects again they are reconnected to it automatically.
  • Clipboard sharing: The remote and local computers can share a clipboard, so users can cut, copy, and paste text and graphics between local and remote applications. This convenience also moves data across the trust boundary, which is why clipboard redirection can be disabled by policy where that matters.

RDP has evolved over the years and a number of new versions have developed. The latest, Version 10.0, includes an AutoSize zoom in addition to improvements for compressing graphics.

What RDP security measures does Microsoft implement?

There are two key things to consider when evaluating security—how the connection is created, and how the connection is secured. Microsoft uses several authentication and security functions to ensure both of these considerations are met:

  • Authentication levels: A connection can be established in Legacy mode, where the server creates a session and presents the Windows logon screen before the client has proven anything, or with Network Level Authentication (NLA), where the client must authenticate through CredSSP before the server allocates a session. NLA leaves far less pre-authentication attack surface for cybercriminals to probe, making it substantially more secure than Legacy mode. When configuring RDP you can accept only NLA connections or also allow Legacy mode for older clients; choosing NLA-only connections protects your customer’s data, and allowing Legacy mode for the sake of one old client undoes that protection for everyone.
  • Security layer: Remote Desktop Services (RDS) sessions can be secured with one of three security layers: RDP Security Layer (the legacy RC4-based encryption, with no server authentication), Negotiate (the default, which uses TLS when the client supports it and otherwise falls back to RDP Security Layer), and SSL. The last is labelled “SSL (TLS 1.0)” in the management tools, but current Windows versions negotiate TLS 1.2 under that setting; it is the strongest option and should be required rather than negotiated. TLS requires a digital certificate that proves the identity of the RD Session Host and protects traffic between host and client. Windows generates a self-signed certificate by default, which clients cannot verify and which therefore leaves the connection open to a man-in-the-middle; issue the host a certificate from a certification authority your clients trust. Note that NLA depends on TLS, so RDP Security Layer cannot be used in conjunction with NLA.
  • Encryption Level: The four RDP encryption levels are Low, Client Compatible, High, and FIPS Compliant. By default RDS connections use Client Compatible, that is, the strongest key length the client supports, which is why an old client can quietly pull a connection down to weak encryption; setting High (128-bit) or FIPS Compliant refuses such clients instead. These levels govern the legacy RDP Security Layer; once TLS is negotiated, the TLS cipher suite protects the channel.
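The following PowerShell, added here as an example and not part of the original article, audits the three settings above on the local RD Session Host and corrects the per-listener values where they differ from a hardened configuration (NLA required, TLS security layer, High encryption). It reads Microsoft’s documented registry locations for the RDP-Tcp listener and the matching Group Policy key, and reports which certificate the listener presents; the target values are the editor’s recommendation, not the article’s.

```powershell
# Added example: audit and enforce the NLA, security-layer and encryption-level
# settings of the local RDP-Tcp listener. Run in an elevated PowerShell session.
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Target state (editor's recommendation):
#   UserAuthentication  1 = NLA required            (0 = legacy mode allowed)
#   SecurityLayer       2 = TLS ("SSL" in the GUI)  (1 = Negotiate, 0 = RDP Security Layer)
#   MinEncryptionLevel  3 = High, 128-bit           (4 = FIPS Compliant, 2 = Client Compatible, 1 = Low)
$desired = [ordered]@{
    UserAuthentication = 1
    SecurityLayer      = 2
    MinEncryptionLevel = 3
}

function Get-RdpSetting {
    param([string]$Name)
    # A value under the Policies key comes from Group Policy and overrides the listener value.
    $pol = (Get-ItemProperty -Path $policy   -Name $Name -ErrorAction SilentlyContinue).$Name
    $loc = (Get-ItemProperty -Path $listener -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Setting   = $Name
        Policy    = $pol
        Listener  = $loc
        Effective = $(if ($null -ne $pol) { $pol } else { $loc })
    }
}

$state = foreach ($name in $desired.Keys) { Get-RdpSetting -Name $name }
$state | Format-Table -AutoSize

foreach ($s in $state) {
    $want = $desired[$s.Setting]
    if ($s.Effective -eq $want) { continue }
    if ($null -ne $s.Policy) {
        Write-Warning "$($s.Setting) is $($s.Effective) via Group Policy (want $want); change the GPO, not the registry."
    } else {
        Write-Warning "$($s.Setting) is $($s.Effective); setting listener value to $want."
        Set-ItemProperty -Path $listener -Name $s.Setting -Value $want -Type DWord
    }
}

# Which certificate does the listener present for TLS? A self-signed certificate
# (Issuer equals Subject) cannot be validated by clients, which is exactly the
# condition a man-in-the-middle needs.
$ts   = Get-CimInstance -Namespace root/cimv2/TerminalServices -ClassName Win32_TSGeneralSetting `
            -Filter "TerminalName='RDP-Tcp'"
$cert = Get-ChildItem -Path Cert:\LocalMachine\My, 'Cert:\LocalMachine\Remote Desktop' -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $ts.SSLCertificateSHA1Hash } | Select-Object -First 1
if ($cert) {
    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        SelfSigned = ($cert.Subject -eq $cert.Issuer)
        Expires    = $cert.NotAfter
    }
} else {
    "Listener certificate $($ts.SSLCertificateSHA1Hash) was not found in the machine certificate stores."
}
```

Changes to the listener values take effect for new connections after the Remote Desktop Services service (TermService) is restarted or the host reboots; existing sessions continue. If a host must still accept a client that cannot do NLA or TLS, the fix is to update that client, not to lower these values for the whole host.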

It’s imperative that authentication levels, security layers, and encryption levels are configured in your settings appropriately. This will ensure your customer’s sensitive data is protected from attackers at a baseline level.

Is RDP secure?

Questions surrounding RDP security have always existed, and for good reason. While Microsoft has gone to great lengths to secure RDP connections, weaknesses still abound. The most widely discussed recently concerned the Credential Security Support Provider protocol (CredSSP), the authentication provider that NLA relies on to process authentication requests. According to Microsoft, a vulnerability in unpatched versions of CredSSP (CVE-2018-0886, fixed in the March 2018 security updates) allowed an attacker positioned between client and server to relay the user’s credentials and execute code on the target system. This put every application that relied on CredSSP for authentication at risk, Remote Desktop first among them.

Microsoft has since released a security update for that issue, but other concerns persist. Weak legacy encryption, lower encryption settings kept for the sake of old clients, and the general nature of remote desktop, an open listening port that can hand out administrator access, all put data at risk. One of the most common attacks against RDS sessions is the man-in-the-middle attack, in which an attacker sits between client and server, observing and possibly altering the traffic. RDP is exposed to it whenever the host presents a self-signed certificate that clients cannot validate and users click through the resulting warning, or whenever the legacy RDP Security Layer, which authenticates no one, is in use. Brute force attacks, in which a hacker throws thousands of username and password guesses per minute at the exposed listener, are also prevalent; any RDP host reachable from the internet receives them more or less continuously.

If you’re wondering how to secure remote desktop access, there are many best practices out there to address RDP security risks. A few of the most important ones to follow are:

  • Strong passwords: Short passwords drawn from a small character set are guessed quickly by the brute force tools described above. Require at least 12 characters for every account that can log on remotely, technicians included. Passphrases, which string several unrelated words together, are long, memorable and resistant to guessing. Pair this with an account lockout policy (for example, lock after a small number of invalid attempts for a set period) so that online guessing stalls, and monitor lockouts, since an attacker can also use them to lock legitimate users out.
  • User restrictions: Not every administrator-level account on a machine needs Remote Desktop access. Limit the “Allow log on through Remote Desktop Services” right to the accounts that genuinely need it through local or Group Policy (the procedure is below); every account removed is one fewer target for password guessing. Teach your customers and technicians why that limit exists so it does not quietly grow back.
  • Regular updates: Patches close the protocol and implementation weaknesses attackers rely on, the CredSSP issue above included. Windows Update delivers fixes for both the Remote Desktop client and the RD Session Host; make sure automatic updates are enabled on servers and technician workstations alike, and keep any third-party RDP clients current as well.
  • Firewall safeguards: Place RD Session Hosts behind a hardware or host-based firewall so that the listening port (TCP 3389 by default) is reachable only from where it must be. A firewall cannot judge whether a request is legitimate; what it can do is refuse connections from every source you have not explicitly allowed. Hosts that must be reached over the internet should sit behind a VPN or a Remote Desktop Gateway rather than exposing 3389 directly.
  • IP address restrictions: Restricting the Remote Desktop port to an individual or group of trusted IP addresses is called “scoping” the port and can be done in Windows Firewall. The server then drops connection attempts from any address outside the scope before they reach the RDP service, which removes both the attack surface and the load of processing malicious connection attempts.
  • Multi-factor authentication: Requiring a second factor in addition to the password means a guessed or stolen password alone is not enough to get in. A username/password combination paired with a time-based one-time passcode (TOTP) is a common and effective choice for RDP.
  • Non-default ports: Most automated brute force attacks simply sweep the internet for TCP 3389. Moving the listener to another port cuts that noise, which makes genuine attacks easier to see in the logs, but it is not a security control: a port scan finds the new port in seconds. Treat an unusual volume of failed logon attempts as a sign of an active attack, and respond by scoping the port and reviewing the targeted accounts rather than relying on the port change alone.
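Because failed attempts keep arriving whatever port the listener uses, the useful thing to do with the signal the last bullet describes is to measure it. The PowerShell below, added here as an example and not from the original article, summarises failed logons (Security event 4625) in the local host’s log by source address, flags sources that exceed a threshold, and shows how many distinct usernames each one tried, which separates a password-spraying run from a single user mistyping. The time window and threshold are arbitrary starting points, not figures from the article.

```powershell
# Added example: summarise failed logons in the Security log by source IP.
# Event 4625 is "An account failed to log on". With NLA enabled, failed RDP
# attempts are recorded as LogonType 3 (network); without NLA as LogonType 10
# (RemoteInteractive). Run elevated; save as a .ps1 and run with -Hours/-Threshold.
param(
    [int]$Hours = 24,
    [int]$Threshold = 20   # failures from one address in the window that merit a look
)

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue

$failures = foreach ($e in $events) {
    # The interesting fields live in EventData; pull them out of the event XML by name.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # Keep only logon types RDP produces and attempts that arrived over the network.
    if ($d.LogonType -in '3', '10' -and $d.IpAddress -and $d.IpAddress -ne '-') {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            IpAddress = $d.IpAddress
            User      = $d.TargetUserName
            LogonType = $d.LogonType
            SubStatus = $d.SubStatus   # 0xC0000064 = unknown user, 0xC000006A = wrong password
        }
    }
}

$report = $failures |
    Group-Object -Property IpAddress |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress   = $_.Name
            Failures    = $_.Count
            # Many distinct users from one address is password spraying, not a forgotten password.
            UniqueUsers = ($_.Group.User | Sort-Object -Unique).Count
            FirstSeen   = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen    = ($_.Group.Time | Measure-Object -Maximum).Maximum
            SampleUsers = ($_.Group.User | Select-Object -Unique -First 5) -join ', '
        }
    } |
    Sort-Object -Property Failures -Descending

if ($report) {
    $report | Format-Table -AutoSize
} else {
    "No source exceeded $Threshold failed logons in the last $Hours hours."
}
```

Run it on an internet-facing host and the top entries are almost always scanners trying “administrator”, “admin” and a dictionary of first names; those addresses are exactly what the firewall scope described later should already be excluding. Auditing of logon events must be enabled (it is on by default for failures on servers) or the log will be empty.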

How do I restrict access to Remote Desktop?

There are several ways to restrict access and secure Remote Desktop. You can help your customer limit the number of administrators with access to the Remote Desktop and you can scope the port (limit access to specified IP addresses), as mentioned above. Restricting access to the Remote Desktop through either, or both, of these methods is a great way to protect systems from hackers searching for easy ways to enter and snatch highly-sensitive data.

To remove local administrators from RDP access and restrict access to a specified group follow these steps:

  1. Open Local Security Policy (run secpol.msc, or Start > Administrative Tools > Local Security Policy).
  2. Under Local Policies, select User Rights Assignment.
  3. Open “Allow log on through Remote Desktop Services” (older versions call it “Allow log on through Terminal Services”).
  4. Remove the Administrators group and leave the Remote Desktop Users group. Make sure the account you administer from is already a member of Remote Desktop Users, or this step locks you out of remote access.
  5. Use the System control panel (Remote settings > Select Users) or the Remote Desktop Users group in Local Users and Groups to add the specific accounts that need access. On a domain-joined machine, a Group Policy that defines this right overrides the local setting, so make the change in the GPO instead.
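The same change scripted in PowerShell, added here as an example and not taken from the original article. It uses secedit, the tool through which local user rights are exported and imported, rewrites only the one right, and then grants access by group membership. The two account names are hypothetical placeholders.

```powershell
# Added example: remove Administrators from the "Allow log on through Remote
# Desktop Services" right, keep Remote Desktop Users, then add the accounts that
# need access to that group. Run in an elevated PowerShell 5.1 session.
$RdpUsers = @('CONTOSO\helpdesk-tier2', 'CONTOSO\svc-backup-admin')   # hypothetical account names

$work = Join-Path $env:TEMP 'rdp-rights'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg  = Join-Path $work 'rights.inf'
$db   = Join-Path $work 'rights.sdb'

# 1. Export the current user-rights assignments. secedit writes UTF-16, so read
#    and write the file with -Encoding Unicode or the import will fail.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content -Path $cfg -Encoding Unicode)

# 2. Rewrite SeRemoteInteractiveLogonRight ("Allow log on through Remote Desktop
#    Services"). Well-known SIDs: S-1-5-32-544 = Administrators,
#    S-1-5-32-555 = Remote Desktop Users. Only the latter remains.
$right   = 'SeRemoteInteractiveLogonRight'
$newLine = "$right = *S-1-5-32-555"
$idx = $lines.FindIndex({ param($l) $l -match "^\s*$right\s*=" })
if ($idx -ge 0) {
    "Before: $($lines[$idx])"
    $lines[$idx] = $newLine
} else {
    # Right absent from the export (nobody holds it): add it under [Privilege Rights].
    $hdr = $lines.FindIndex({ param($l) $l -match '^\[Privilege Rights\]' })
    if ($hdr -lt 0) { $lines.Add('[Privilege Rights]'); $lines.Add($newLine) }
    else            { $lines.Insert($hdr + 1, $newLine) }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 3. Import only the USER_RIGHTS area so the rest of local security policy is untouched.
secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null

# 4. Grant access through group membership rather than by editing the right per user.
foreach ($u in $RdpUsers) {
    $member = Get-LocalGroupMember -Group 'Remote Desktop Users' -Member $u -ErrorAction SilentlyContinue
    if (-not $member) { Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $u }
}

# 5. Verify: re-export and show the right, then the resulting group membership.
secedit /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
(Get-Content -Path $cfg -Encoding Unicode) -match "^\s*$right"
Get-LocalGroupMember -Group 'Remote Desktop Users' | Select-Object Name, PrincipalSource
```

Run this from a console or a session you can afford to lose: once the import completes, any administrator who is not in Remote Desktop Users can no longer connect over RDP. On domain members, a GPO that defines the same right will reapply over this local change at the next policy refresh, so domain-wide the edit belongs in the GPO.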

These simple, straightforward steps can go a long way in your efforts to ward off attackers. To secure Remote Desktop by limiting which IP addresses can access it, follow these steps:

  1. Connect to the server (over RDP or a console session).
  2. Open Windows Firewall with Advanced Security (wf.msc).
  3. Click Inbound Rules in the left pane.
  4. Locate the Remote Desktop rules. On current Windows versions they are “Remote Desktop - User Mode (TCP-In)” and “Remote Desktop - User Mode (UDP-In)”, and both need the same scope; scoping only the TCP rule leaves UDP 3389 open.
  5. Right-click the rule, choose Properties, and switch to the Scope tab.
  6. In the Remote IP address section, select These IP addresses.
  7. Click Add.
  8. For a single address, type it in the top field (This IP address or subnet) and click OK.
  9. Repeat steps 7 and 8 for each additional address.
  10. For a range, select This IP address range instead, type the first address in From and the last in To, and click OK.
  11. Repeat step 10 for each additional range, click OK to close Properties, then repeat from step 5 for the second rule.
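The PowerShell equivalent of that procedure, added here as an example and not part of the original article. It scopes every inbound rule in the built-in “Remote Desktop” group to a list of trusted sources and then checks whether any other enabled rule still opens the RDP port to everyone, which is the mistake that most often makes a scoped listener reachable anyway. The addresses are RFC 5737 documentation ranges used as placeholders.

```powershell
# Added example: scope the built-in Remote Desktop firewall rules to trusted
# source addresses and detect rules that bypass the scope. Run elevated.
$TrustedSources = @(
    '203.0.113.10',      # placeholder: a single management host
    '198.51.100.0/24'    # placeholder: a management subnet
)

# Windows 8 / Server 2012 and later ship RDP rules in the "Remote Desktop" group:
#   Remote Desktop - User Mode (TCP-In), Remote Desktop - User Mode (UDP-In),
#   Remote Desktop - Shadow (TCP-In). All of them get the same scope.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
if (-not $rules) { throw "No inbound rules found in the 'Remote Desktop' group." }

foreach ($r in $rules) {
    $before = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    $r | Set-NetFirewallRule -Enabled True -RemoteAddress $TrustedSources
    $after  = ($r | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
    "{0}`n  before: {1}`n  after:  {2}" -f $r.DisplayName, $before, $after
}

# Scoping the built-in rules is pointless if another enabled Allow rule (hand-made,
# or created by a third-party tool) still admits the RDP port from Any address.
$port = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
             -Name PortNumber).PortNumber
$leaks = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { $_.DisplayGroup -ne 'Remote Desktop' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        # LocalPort is 'Any', a single port, or a list; ranges such as '3000-4000' are not matched here.
        if (($pf.LocalPort -contains "$port" -or $pf.LocalPort -contains 'Any') -and
            $af.RemoteAddress -contains 'Any' -and $pf.Protocol -in 'TCP', 'UDP', 'Any') {
            $_.DisplayName
        }
    }

if ($leaks) {
    Write-Warning ("These enabled rules still allow port {0} from Any; scope or disable them:`n  {1}" -f $port, ($leaks -join "`n  "))
} else {
    "No other inbound rule exposes port $port to Any."
}
```

The leak check is deliberately noisy: a rule that allows all ports from Any (some installers create one) is reported even though it is not RDP-specific, because it exposes the listener just the same. After scoping, confirm from an address outside the list that the port no longer answers before closing your current session.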

How to Ensure Your Customers Are Protected 

Your customers trust you with remote access to some of their most valuable assets. Choose remote access software that helps you follow the best practices above rather than one that leaves them to chance. SolarWinds® Take Control and Take Control Plus come with a number of built-in, business-grade security features that can help ensure your remote troubleshooting is secure. Good remote support software increases your customers’ trust and gives you greater peace of mind through:

  • Strong encryption: The Advanced Encryption Standard (AES) with 256-bit keys protects session data in transit and stored recordings at rest. Some software also uses Elliptic-curve Diffie–Hellman (ECDH) key agreement, which lets the two endpoints establish a shared session key without ever sending it over the wire.
  • Safeguarded session creation: This helps you establish boundaries and ensure sessions are initiated only by those with appropriate permissions.
  • Security compliance: Historical visibility through full session search, recording, and reporting, together with default data privacy features, helps with GDPR readiness and HIPAA compliance. FIPS-compliant OpenSSL cryptographic modules are also available to aid compliance with rigorous cryptography standards.
  • Advanced authentication: Safeguard accounts with technician access permission settings and with two-factor authentication (2FA) that requires a username/password combination plus a one-time token, so a stolen password alone does not grant access.
  • Secrets Vaults: Safeguard passwords and credentials with the Take Control Secrets Vaults feature, which stores your clients’ machine credentials in encrypted vaults and injects them into the session when needed, so that neither the technician nor the end user ever sees them.
  • IP designation: Limiting which IP addresses can reach the remote desktop ensures that only connections from approved networks are considered at all; authentication still decides who gets in.
  • Timeout control: Idle session timeouts close sessions that have sat unattended too long, so nobody with access to the unattended workstation can pick up a live session.
  • Clipboard clearing: Automatically clearing the clipboard at the end of a session keeps sensitive data such as credentials from lingering after use.

A remote connection is a gateway to your customers’ most valuable assets—their machines, their IP, and, ultimately, their data. It’s important you take the right steps to ensure your remote access gains and maintains their integrity and trust.

Need a tool that allows you to securely access remote computers? Try Take Control free for 14 days.